Found by Guenther - fix up our fallback paths from krb5 to NTLMSSP when using SMB2.

Jeremy.

1 files changed, 29 insertions, 8 deletions

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 88454c1222..757618ea2d 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -553,15 +553,25 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 	}
 #endif
 
-	/* Fall back to NTLMSSP. */
-	status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto out;
-	}
+	if (kerb_mech) {
+		/* The mechtoken is a krb5 ticket, but
+		 * we need to fall back to NTLM. */
 
-	status = auth_ntlmssp_update(session->auth_ntlmssp_state,
-				     secblob_in,
-				     &chal_out);
+		DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
+			"but set to downgrade to NTLMSSP\n"));
+
+		status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+	} else {
+		/* Fall back to NTLMSSP. */
+		status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto out;
+		}
+
+		status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+					     secblob_in,
+					     &chal_out);
+	}
 
 	if (!NT_STATUS_IS_OK(status) &&
 			!NT_STATUS_EQUAL(status,
@@ -744,6 +754,17 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 			SAFE_FREE(kerb_mech);
 			return NT_STATUS_LOGON_FAILURE;
 		}
+
+		data_blob_free(&secblob_in);
+	}
+
+	if (session->auth_ntlmssp_state == NULL) {
+		status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+		if (!NT_STATUS_IS_OK(status)) {
+			data_blob_free(&auth);
+			TALLOC_FREE(session);
+			return status;
+		}
 	}
 
 	status = auth_ntlmssp_update(session->auth_ntlmssp_state,